
Payments Security – Vital Information all Payment Processors need to know


Transact 2016 conference presentation by CASC member Dean Coclin (Symantec) on the CA/B Forum, the problem with SHA-1, and future solutions to the problem.


  1. Payments Security – Vital Information all Payment Processors need to know. Dean Coclin, Sr. Director of Business Development, Chair, CA/Browser Forum
  2. Agenda
     1 The CA/Browser Forum and its role in the ecosystem
     2 Publicly trusted certificates in payment terminals
     3 SHA-1 deprecation
     4 Solutions for the payment industry
  3. Agenda highlight: section 1, The CA/Browser Forum and its role in the ecosystem
  4. Who is the CA/B Forum? The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary organization of leading certification authorities (CAs) and vendors of Internet browser software and other applications. http://www.cabforum.org
  5. CA/B Forum: A Brief History (timeline 2006–2015)
     • CABF starts as a loose association of CAs and browsers to draft guidelines for EV SSL Certificates
     • Membership expands globally, currently 52 CAs and 6 browsers
     • EV Guidelines generated and approved
     • Baseline Requirements formulated and passed
     • Network Security document created and finalized
     • All publicly trusted CAs, whether members of CABF or not, must adhere to guidelines!
  6. CA/B Forum members (slide shows member logos; no text)
  7. Roles of parties in the CA ecosystem (diagram: server, auditors, browsers, root certificates)
  8. CA/B Forum Facts and Misconceptions
     • Rules are codified in “Baseline Requirements” documents
     • The Forum cannot grant “exceptions” to its rules
     • All rules are made by ballot
     • Browsers and CAs have separate voting groups: 2/3 of CAs must approve + majority of browsers must approve
     • All meeting minutes and mailing lists are public
     • The Chair does not have the authority to waive any requirements
  9. Agenda highlight: section 2, Publicly trusted certificates in payment terminals
  10. Payment Terminals are all over the map
     • Many different terminals… (manufacturers, software versions, ROMs)
     • …which trust various root certificates… (SHA-1, SHA-2; many only trust Verisign roots)
     • …causing difficulty in determining which terminals work with SHA-2
  11. Many didn’t know until it was too late…
     • Processors, while most were aware of the SHA-1 deadline, didn’t realize the extent of the problem
     • Limited data on existing terminals, limited testing opportunities
     • EMV would dictate the update timeline
     • Result: panic calls to CAs after the deadline
     Copyright © 2014 Symantec Corporation
  12. Agenda highlight: section 3, SHA-1 deprecation
  13. What is a hashing function?
     • An algorithm that maps large data sets of variable length to smaller data sets of fixed length
     • Used as a “fingerprint” or “checksum”
     • It should be “impossible” to find two data sets that map to the same hash value
     • Used in digital signatures to avoid having to encrypt the large data set
     • Examples: MD2, MD5, SHA-1, SHA-256
     • SHA: Secure Hash Algorithm
  14. Why SHA-1 Migration?
     • Risk of collision attacks* (no known security breaches to date)
     • NIST recommendation: transition to SHA-256 (SHA-2)
     *Source: http://csrc.nist.gov/groups/ST/hash/statement.html
  15. In Response*… (slide shows the browser vendors' announcements; no further text)
     *Sources: https://technet.microsoft.com/en-us/library/security/2880823.aspx, http://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html, https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
  16. Agenda highlight: section 4, Solutions for the payment industry
  17. SHA-1 certificates for the payment industry
     • In order to continue issuing SHA-1 certificates (for non-browser users), some CAs have removed roots from public (browser/OS) trust stores
     • These roots had excellent ubiquity and are likely present in many payment terminals
     • Because they are no longer trusted by browsers/OSes, CA/B rules do not apply
  18. Private CA with retired root
     • A cross-intermediate CA for a Private CA: Private SSL can chain up to a retired root via a cross cert
     • Customers don’t need to distribute the Private root to clients
     • This solution works only for non-browser applications
     (Diagram: server end-entity (E/E) cert → ICA cert → cross cert; clients: non-browser (POS, set-top box) and browser*. *Private root needs to be pre-installed.)
  19. SHA-2 certificate from SHA-1 intermediate
     • Issue a SHA-2 certificate from a known SHA-1 intermediate
     • Some payment terminals seem to work with this method
     • Terminals were found to check for a “hard coded” name in the intermediate certificate (which was “Verisign”)
     • Use an old Verisign SHA-1 intermediate to issue the SHA-2 certificate
  20. Going Forward…
     • Move away from CA/Browser Forum publicly trusted roots
     • Create separate “roots of trust” specific to the payment industry
     • Distribute these roots to terminals in a trusted fashion
     • Roots can be used under payment industry rules and guidance
     (Diagram: root certificates)
  21. Thank you! Dean Coclin. Email: dean_coclin@symantec.com. Twitter: @chosensecurity. Office: +1 617 252 3035
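Slides 18 and 19 hinge on the same end-entity certificate validating differently per client: a terminal that still trusts the retired SHA-1 root reaches it through the cross cert, while a browser either has no path to that root or rejects the SHA-1 signature on the way. The following added example (not from the presentation; it uses constructed certificate records rather than real X.509 data, and the subject names, hash names and relying-party policies are assumptions) models that path building and policy check in Python.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sig_hash: str  # hash used in the issuer's signature over this cert

# Constructed sample chain modelling slides 17-19 (not real X.509 data).
CERTS = [
    Cert("pos.example.test", "Private ICA", "sha256"),   # SHA-2 end-entity cert
    Cert("Private ICA", "Private Root", "sha256"),       # issuing intermediate CA
    Cert("Private Root", "Private Root", "sha256"),      # self-signed private root
    Cert("Private Root", "Retired SHA-1 Root", "sha1"),  # cross cert issued by the retired root
]
LEAF = CERTS[0]

def build_paths(cert, pool, anchors, path=()):
    """Yield every path cert..last whose last issuer is a trust anchor.
    Self-signed certs are skipped, so a subject present both self-signed and
    cross-signed (the private root here) is reached through the cross cert."""
    path = path + (cert,)
    if cert.issuer in anchors:
        yield path
        return
    for c in pool:
        if c.subject == cert.issuer and c.subject != c.issuer and c not in path:
            yield from build_paths(c, pool, anchors, path)

def validate(leaf, pool, anchors, allowed_hashes):
    """Apply one relying party's policy (trusted roots plus accepted signature
    hashes). Returns (True, chain subjects) or (False, reason)."""
    paths = list(build_paths(leaf, pool, anchors))
    if not paths:
        return False, "no path to a trusted root"
    for path in paths:
        weak = [c for c in path if c.sig_hash not in allowed_hashes]
        if not weak:
            return True, [c.subject for c in path]
    return False, f"every path relies on a {weak[0].sig_hash}-signed cert: {weak[0].subject}"

# Relying-party policies (assumed for the example).
POLICIES = {
    "terminal": dict(anchors={"Retired SHA-1 Root"}, allowed_hashes={"sha1", "sha256"}),
    "browser_public_store": dict(anchors={"Public Root A"}, allowed_hashes={"sha256"}),
    "browser_sha1_sunset": dict(anchors={"Retired SHA-1 Root"}, allowed_hashes={"sha256"}),
    "browser_private_root_installed": dict(anchors={"Private Root"}, allowed_hashes={"sha256"}),
}

if __name__ == "__main__":
    for name, policy in POLICIES.items():
        print(f"{name}: {validate(LEAF, CERTS, **policy)}")
```

The `browser_private_root_installed` policy is the footnote on slide 18: once the private root is pre-installed, the browser builds a SHA-2-only path and never touches the cross cert.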
